This chapter provides the basic context in which this report is being written. Chapter 2 of this report introduces some basic concepts of signals intelligence (SIGINT) and provides some key definitions. Chapter 3 presents use cases—scenarios in which bulk collection may make contributions to intelligence investigations. Chapter 4 presents the committee’s technical conclusions about the use of bulk collection. Chapter 5 describes ways of protecting information gathered through SIGINT processes. Chapter 6 looks to the future. Appendix A makes some observations about how the committee addressed its charge.
In January 2014, President Obama addressed the nation and the broader global community to explain U.S. policy regarding the collection of foreign intelligence.1 In this speech, he explicitly acknowledged that U.S. government collection and storage of bulk data “creates a potential for abuse,” but he explained that signals intelligence data were collected only for “legitimate national security purposes” and that the government had no interest in using any collected data to target minorities or
1 The White House, “Remarks by the President on Review of Signals Intelligence,” Office of the Press Secretary, January 17, 2014, http://www.whitehouse.gov/the-press-office/2014/01/17/remarks-president-review-signals-intelligence.
suppress any political activity. He clarified that the use of any bulk collection of SIGINT was even more limited, explicitly stating that it could be used only for six specific security requirements: “counterintelligence; counterterrorism; counterproliferation; cybersecurity; force protection for our troops and our allies; and combating transnational crime, including sanctions evasion.”
While defending the nature of American collection and use of bulk data to support national security, the President also acknowledged how many in America and around the world might still be concerned. He declared an interest in exploring how the United States can preserve current intelligence capabilities but with less government collection and storage of bulk data. He conceded that it would not be easy to “match the capabilities and fill the gaps that the [metadata2 collection program] was designed to address,” but he is committed to exploring several options that might enhance protections of privacy, including decreasing the number of “hops” in a contact network search to two from three, having the Foreign Intelligence Surveillance Court (FISC) review reasonable and articulable suspicion (RAS) selectors and identifying a means to have the storage of the bulk metadata occur outside the federal government.
Shortly after the President’s speech, the White House released Presidential Policy Directive 28 (PPD-28),3 the topic of which was U.S. policy on SIGINT. PPD-28 both laid out the principles that govern how the U.S. collects SIGINT and strengthened executive branch oversight of SIGINT activities. PPD-28 seeks to ensure that U.S. policy takes into account security requirements, alliances, trade and investment relationships (including the concerns of U.S. companies), and the U.S. commitment to privacy and basic rights and liberties. The document also promised review of U.S. decisions about intelligence priorities and sensitive targets by the President’s senior national security team on an annual basis.
Of most importance to this report, PPD-28 requested the Office of the Director of National Intelligence (ODNI) to “assess the feasibility of creating software that would allow the Intelligence Community more easily to conduct targeted information acquisition rather than bulk collection.” In turn, ODNI asked the National Academies to study and report on this question. The Committee on Responding to Section 5(d) of Presidential Policy Directive 28: The Feasibility of Software to Provide Alternatives to Bulk Signals Intelligence Collection was formed in response.
2 The term metadata is defined in Section 2.3. Loosely, for telephone calls it includes calling and called number, and time and duration of call, but not any content of the call.
3 See The White House, Presidential Policy Directive/PPD-28, “Signals Intelligence Activities,” Office of the Press Secretary, January 17, 2014, http://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities.
The broader context for the committee’s report includes the many security threats the United States faces, issues of international relations and global competitiveness, balanced against privacy and civil-liberties concerns. The committee believes that both the public and national security officials recognize the need for surveillance to anticipate, disrupt, and respond to national security threats (such as terrorism). Indeed, recent events make clear that national security threats will continue to be dynamic and more unpredictable than those during the Cold War, so that effective intelligence capabilities will remain essential.
At the same time, disclosures by Edward Snowden about the extent and nature of U.S. intelligence collection have raised concerns about the appropriate balance between the surveillance needed to achieve national security and respect for individual privacy. The revelations have complicated U.S. relations with other nations. (This is true even as some of these same nations have benefitted—and continue to benefit—from U.S. intelligence collection.) A number of foreign nations have threatened to avoid Internet-delivered products and services offered by U.S. information technology vendors because of insecurities alleged in these disclosures.4 The magnitude of the financial impact is unclear at this point;5 what is clear is that increased attention to U.S. intelligence collection has made the international marketplace a more challenging environment for U.S. companies.
The Snowden disclosures have also generated a range of concerns about privacy and civil liberties. In the United States, tension over potential government infringement of personal liberties goes back to the founding of the republic. In the recent past, domestic legislation and case law have worked to create a balanced approach to surveillance of telephone communications. But new technologies—and how government authorities use such technologies—have always posed challenges for existing law and practice. Technological advancements can undo a previously agreed-upon consensus. In the controversy that gives rise to this report, domestic public concerns about privacy and civil liberties have often been expressed as concerns about the “[U.S.] government spying on innocent Americans.” Abroad, a Pew poll in July 2014 indicated that in most coun-
4 Whether this reason is in some sense “sincere,” or a cover for protectionism is unclear. But it may not matter. Whether perception or reality, U.S. leadership has concluded that the upset created is sufficient to require a response.
5 For example, a New York Times article of March 2014 reports on estimates of losses to U.S. technology companies ranging from $35 billion to $180 billion by 2016. See Claire Cain Miller, “Revelations of N.S.A. Spying Cost U.S. Tech Companies,” The New York Times, March 21, 2014, http://www.nytimes.com/2014/03/22/business/fallout-from-snowdenhurting-bottom-line-of-tech-companies.html?_r=0.
tries surveyed, the majority of their publics opposed U.S. surveillance of their citizens or their leaders.6 Foreign leadership, including that of traditionally close U.S. allies, expressed significant public anger in the immediate aftermath of the Snowden disclosures.7
Recent disclosures have amplified two underlying trends in the United States: distrust of government and concerns about privacy, especially privacy of data and communications. These trends put pressure on SIGINT techniques and practices, which in turn may affect the quality of intelligence they provide. But another attack of the magnitude of the 9/11 attacks would quickly raise expectations for the capabilities of U.S. intelligence generally and surveillance in particular. Actions by Congress and the executive branch in the wake of the 9/11 attacks rapidly resulted in substantive changes that are now being questioned after more than a decade of relative domestic security. As this cycle may easily repeat, it is all the more imperative to examine now the value of bulk collection and potential alternatives while there is time to reflect thoughtfully on the issues such collection poses.
As the committee proceeded with its work, it became clear that public confidence in the management of intelligence programs is essential and might be enhanced through even greater use of automation in managing oversight structures. To provide the context for the committee’s subsequent discussion, particularly on ways to automate oversight strategies, this section provides a brief overview of the constitutional and legal framework that currently governs intelligence surveillance activities. Mindful that many long-standing legal interpretations are now under review by Congress and have also been challenged in lower federal courts, and that there has been no final disposition of these questions by either Congress or the Supreme Court, the committee does not discuss the current legal debate in depth.
Among the nations of the world (including the Western democracies), the United States is the most open in the regulation of its intelligence activities. The United States regulates its intelligence activities
6 Pew Research Center, Global Opposition to U.S. Surveillance and Drones, but Limited Harm to America’s Image, Washington, D.C., July 14, 2014, http://www.pewglobal.org/2014/07/14/global-opposition-to-u-s-surveillance-and-drones-but-limited-harm-to-americas-image/.
7 Josh Levs and Catherine E. Shoichet, Europe furious, ‘shocked’ by report of U.S. spying, CNN, July 1, 2013, http://www.cnn.com/2013/06/30/world/europe/eu-nsa/.
according to a legal framework established by the U.S. Constitution. This overarching constitutional structure is premised on the commitment that all governmental activities, even those national security activities most important to the nation’s existence, must be subject to the rule of law. This framework is further explicated by a hierarchy of public statutes and internal executive branch regulations, which include public executive orders and subordinate classified instructions and directives.
All three branches of government have a constitutional role to play in intelligence programs. The executive branch is responsible for executing intelligence programs; congressional committees have responsibility for the initial authorization, funding, and oversight of programs; and the federal courts provide legal review in the course of litigation and also, in a limited number of cases, prior authorization through the specially created FISC.8 Authoritative descriptions of the legal constraints imposed on U.S. intelligence functions are available elsewhere,9 but a brief outline of this legal framework will help illustrate how U.S. intelligence programs function and facilitate the discussion that follows about various programs conducted by the National Security Agency (NSA).
Article II of the U.S. Constitution assigns three functional roles to the President: Commander in Chief, responsibility for the conduct of foreign affairs, and at home, execution of the laws. The responsibilities as Commander in Chief and for foreign affairs carry with them an inherent constitutional power to gather intelligence. Like all such constitutionally granted powers, limits contained in the Bill of Rights amendments to the Constitution apply. With regard to intelligence, particularly the SIGINT for which NSA is responsible, two are particularly relevant: the Fourth Amendment, which protects individuals against unreasonable searches and seizures; and the First Amendment, which protects freedom of speech and assembly, as well as freedom of the press.
The U.S. Supreme Court has interpreted the Fourth Amendment’s protections against a standard of reasonableness so that an individual’s privacy interest must be weighed against the legitimate interests of the government for national security and public safety. In addition, the Amendment has differential applications depending on the purpose of the surveillance, where it occurs (e.g., inside or outside the United States), and the subject of the surveillance (e.g., a non-U.S. person or a U.S. person outside the United States). Finally, the committee notes that privacy
8 Foreign Intelligence Surveillance Act of 1978, 50 U.S.C., Ch. 36 (1978), as amended.
9 Robert S. Litt, “Privacy, Technology and National Security: An Overview of Intelligence Collection,” speech, Washington, D.C., July 18, 2013, http://www.dni.gov/index.php/newsroom/speeches-and-interviews/174-speeches-interviews-2009. See also Dycus, Banks, Raven-Hansen, Vladeck, “National Security Law” (5th edition) and “Counterterrorism Law” (2nd edition), Wolters Kluwer, 2014-2015 supplement.
interests may be limited insofar as information is shared voluntarily with others.10
NSA was originally created by presidential memorandum under the statutory authority of the Department of Defense to create combat support agencies. By contrast, most other agencies that implement the President’s intelligence needs have been created directly by Congress pursuant to their own explicit “organic” statutes. All, however, may only act insofar as they are authorized to do so, whether by statute, regulation, or executive order. In some cases, they are specifically prohibited from action. For example, by statute the Central Intelligence Agency may not conduct domestic law enforcement. NSA, as a part of the Department of Defense, has no separate authorizing statute, but the same prohibition applies to it by regulation.
As has already been noted, law sometimes lags behind changes in technology. One example is that wiretaps were not considered subject to Fourth Amendment protections until 1967 when the Supreme Court concluded that a right of individual privacy existed to protect against warrantless searches.11 In subsequent years, an increasing number of laws have been passed at both the national and state levels to regulate the ways in which the government, including its intelligence components, may make use of evolving telecommunications and computer technologies.
For this report, focused on NSA programs, among the most significant is the Foreign Intelligence Surveillance Act (FISA) of 1978, later amended in 2001 and 2008 to add authorities. Although FISA establishes specific procedures to govern intelligence collection activities that involve U.S. citizens or territory,12 NSA’s institutional charter is found in Executive Order 12333 and is further defined by guidelines called U.S. Signals Intel-
10 Significant for some metadata collection programs, in an opinion authored by Justice Harry Blackmun, the U.S. Supreme Court found in Smith v. Maryland, 442 U.S. 735, 1979, that no “legitimate expectation of privacy” existed if a third party, such as the phone company, already had access to information. Thus, because the phone company had retained the numbers of calls made, collecting them with a “pen register” was not a Fourth Amendment search requiring prior court authorization by warrant. Some question whether Smith remains “good law” today in light of the differing technology involved in modern metadata collection; this is the subject of current litigation.
11 Compare U.S. v. Olmstead, 277 U.S. 438, 1928, holding no Constitutional protection for phone conversations with Katz v. United States, 389 U.S. 347, 1967, finding a right to privacy under the Fourth Amendment for the content of such communications.
12 Foreign Intelligence Surveillance act of 1978 (http://www.gpo.gov/fdsys/pkg/STATUTE-92/pdf/STATUTE-92-Pg1783.pdf), 50 U.S.C. § 1881a, 1978, and brief description of its provisions (http://www.gpo.gov/fdsys/pkg/BILLS-110hr6304enr/pdf/BILLS-110hr6304enr.pdf).
ligence Directives (USSID), the most important of which for this report is USSID 18, which has been declassified in substantial part.13
The original enactment of FISA responded to significant contemporary political pressures, which resulted from abuses revealed in a series of congressional hearings in the 1970s, and demanded greater control of foreign intelligence collection by SIGINT methods when an activity occurs in the United States or involves U.S. persons. The level of statutory and regulatory control responds to political pressures that ebb and flow over time; as will be seen. The 9/11 attacks caused an adjustment in this balance to respond to foreign attacks in domestic space.
At its initial enactment, FISA was not without controversy. Although some argued that there was a critical need for the oversight that FISA provided through a specially created court, others argued (and continue to do so today) the long-standing view that foreign intelligence, as a core presidential function, could not be regulated constitutionally by congressional statute.14 Nonetheless, passage of FISA, which introduced court approval of intelligence collection for the first time, was encouraged by a contemporaneous decision of the U.S. Supreme Court, intimating that much of such domestic national security collection might be subject to Fourth Amendment requirements for prior judicial approval through a warrant application process.15 In response, FISA created a unique procedural approval process overseen by a new Article III court, the FISC, which was designed to authorize electronic intelligence surveillance in the
13 National Security Agency, United States Signals Intelligence Directive USSID SP0018, (U) Legal Compliance and U.S. Persons Minimization Procedures, Issue Date January 25, 2011, approved for release on November 13, 2013, referred to as USSID 18, http://www.dni.gov/files/documents/1118/CLEANEDFinalUSSIDSP0018.pdf.
14 A recently released May 6, 2004, Memorandum for the Attorney General authored by Professor Jack L. Goldsmith, then Assistant Attorney General, Department of Justice, Office of Legal Counsel, describes this view. See Jack L. Goldsmith, Review of the Legality of the STELLAR WIND Program, Office of the Assistant Attorney General, Washington, D.C., May 6, 2004, http://www.justice.gov/sites/default/files/pages/attachments/2014/09/19/may_6_2004_goldsmith_opinion.pdf.
15 Although Title III of the Omnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. §§2510-2520, 1968, authorizes electronic surveillance for specifically limited crimes with a prior court order, a proviso at 18 U.S.C. §2511(3) protected the President’s long-standing right to conduct surveillance for national security purposes. Nonetheless, Justice Lewis Powell’s language in the majority decision of U.S. v. United States District Court (Keith), 407 U.S. 297, 1972, had made clear that this exception would be narrowly construed in cases of domestic security. FISA responded to indications of the direction of Supreme Court decisions. In the Keith decision, it was argued that the defendants, U.S. citizens who had acted only domestically, constituted national security threats by bombing a government facility and so the warrant requirement of the Fourth Amendment did not apply. The Supreme Court rejected this contention, but left open the possibility that the executive branch might not be so limited if national security threats involved foreign powers.
United States by NSA and the Federal Bureau of Investigation upon application to, and approval by, the court. The FISC decisions have remained largely classified throughout much of the court’s history. This proved controversial to some. They questioned the independence of a judicial body that operated largely out of the public eye to authorize intrusive surveillance that, unlike warrants in criminal matters, would likely never be publicly available, lacked any adversarial process, and limited the right of appeal to the government applicant alone. These questions remain and provide part of the backdrop to this report.
As originally enacted, FISA governed electronic surveillance for foreign intelligence or counterintelligence information when collection would occur within the United States. To collect such information, a showing must be made to the FISC establishing probable cause that the target is either a foreign power or an agent of a foreign power. Where the target is a U.S. person, a showing based solely on First Amendment activities is not sufficient. Collection is subject to minimization protections, procedures designed to limit “the acquisition and retention, and prohibit the dissemination, of nonpublicly available information concerning unconsenting United States persons,” but in ways nonetheless consistent with the need for foreign intelligence.16 As a practical matter, minimization involves removing the names of and references to U.S. persons with these exceptions: the information is necessary to assess the value of the foreign intelligence or the targeting of a U.S. person was approved by the FISC.
FISA was amended following the collection of domestic communications metadata that began in 2001. This was done initially at presidential direction outside normal FISA processes, a decision that proved controversial.17 It was subsequently brought within the FISA process in 2006 through the “business records” provision of Section 215 of the USA Patriot Act.18 This allowed the FISC to require production of documents and other tangible things determined relevant to national security investigations, much as other courts do in criminal and grand jury investigations. This provision has served as the authority under which the U.S. government has requested telecommunications providers to produce telephony metadata, when relevant to a national security investigation.19 This provi-
16 See Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. §§1801(h)(1) and 1821(4) (A), 1978.
17 See footnote 14.
18 USA Patriot Act 2001, http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW107publ56.pdf.
19 Standards of relevance vary according to context. What is relevant for a criminal investigation will differ from the far broader standard for civil discovery or a grand jury subpoena. The FISC has acceded to the government’s argument that for national security investigations, “relevance” must be broadly construed. See Robert S. Litt, “Privacy, Technology and National Security,” 2013, p. 6.
sion, approved in the course of several reviews by the FISC since 2006, was also reauthorized by Congress in 2009 and again in 2011. It should be noted that the interpretation of Section 215 permitting bulk collection of such business records, although provided to Congress and relevant committees, was not publicly acknowledged by the U.S. government until after the Snowden disclosures.20
A third provision was added when Section 702 was passed as part of the FISA Amendments Act of 2008 and reauthorized in 2012.21 The Section 702 amendment brought all communications, whether by satellite, radio, wire, etc., acquired with the assistance of electronic communication service providers under FISC oversight and supervision, even though these communications were occurring overseas. Section 702 allows the targeting of non-U.S. persons who are reasonably believed to be outside the United States and expected to possess, receive, and/or communicate foreign intelligence information, consistent with the Fourth Amendment.
Although full communications content, not just metadata, can be collected under this authority, only non-U.S. persons may be targeted for approved foreign intelligence purposes. To ensure that these limitations are followed while preserving the flexibility and nimbleness needed for effective foreign intelligence collection, annual certifications by the U.S. Attorney General are presented to the FISC for approval, rather than specific prior judicial approval on a case-by-case basis.
The foregoing FISA provisions do not fully describe NSA’s collection authority. To ensure that all collection was consistent with constitutional requirements, a broad operational “charter,” Executive Order 12333, “United States Intelligence Activities,” was promulgated in 1981 by the Reagan Administration; this has continued without significant change in collection authorities until the present. This executive order provides the basic authorities and principles under which all national security agencies must operate.22 Importantly, at §2.8, “Consistency with Other Laws,” it provides: “Nothing in this Order shall be construed to authorize any activity in violation of the Constitution or statutes of the United States.” The provisions of Executive Order 12333 are further supported by detailed operating regulations applicable to each individual agency; in the case of NSA, Department of Defense Regulation 5240.1-R, its clas-
20 David S. Kris, On the bulk collection of tangible things, Journal of National Security Law and Policy 7:209, 2014.
21 FISA Amendments Act of 2008, http://www.gpo.gov/fdsys/pkg/BILLS-110hr6304enr/pdf/BILLS-110hr6304enr.pdf.
22 Executive Order 12333, http://www.archives.gov/federal-register/codification/executive-order/12333.html. NSA’s 13 specified responsibilities are defined at Executive Order No. 12333 §1.12(b), 3 C.F.R. 200, 1981, Intelligence Components Utilized by the Secretary of Defense.
sified annex, and USSID 18, approved by the Attorney General, provide the specific implementation guidance for all authorized activities.
USSID 18 offers an important window into the detailed operational authorities that govern NSA activities.23 It begins by observing that all NSA activities must be consistent with the Constitution’s provisions, as interpreted by the U.S. Supreme Court. Annex A to USSID 18 sets forth minimization procedures approved by the Attorney General that govern the handling of information under FISA authority that may relate to U.S. persons. The procedures limit the retention and dissemination of information about U.S. persons, whether or not the information is pertinent. Incidental collection of data about individuals who are not themselves subjects of interest is common to all forms of collection, and the concept of minimization is thus one of long standing in law enforcement activities.
Responding to the legal framework described above, NSA has developed a system of internal compliance and oversight. All parts of the foreign intelligence collection system are involved: access, storage, analysis, and dissemination.
Both manual and automated controls are used to implement the legal search framework that governs foreign intelligence information. Controls and secure databases are used next to protect the subsequent storage of foreign intelligence information. Subsequent review of all actions is extensive. An automatically generated audit trail and internal and external human review are involved. Extensive training for all NSA employees also occurs.
An example of how policy and practical controls work together to protect privacy in the case of data gathered under Section 215 authority is provided in Box 1.1.
The legal authorities under which NSA operates are described in a public document entitled NSA Missions, Authorities, Oversight and Partnerships.24 As noted above, these authorities include Executive Order 12333 and the Foreign Intelligence Surveillance Act of 1978, as amended. Executive Order 12333 is the foundational authority on which NSA relies to collect, retain, analyze, and disseminate foreign SIGINT information.
23 See USSID 18.
24 National Security Agency, The National Security Agency: Missions, Authorities, Oversight and Partnerships, August 9, 2013, https://www.nsa.gov/public_info/_files/speeches_testimonies/2013_08_09_the_nsa_story.pdf.
Privacy Protections for Phone Metadata
Collected Under Section 215
Privacy protections for telephone metadata collected under Section 215 authority were described in a speech by Office of the Director of National Intelligence (ODNI) General Counsel Robert Litt on July 18, 2014.a,b He noted that before reports from queries are returned to analysts, the queries themselves must be approved to ensure compliance with legal and policy rules. These rules may stem from law (e.g., Section 215 restrictions on surveillance of U.S. persons) or from internal controls (e.g., that an analyst must be trained on the proper use of the returned data). All queries must meet a reasonable and articulable suspicion test. These rules seek to ensure that there can be no domestic “fishing expeditions” in which queries seek information about parties unrelated to an intelligence investigation.
Litt also reported on other measures that are applied to protect privacy of Section 215 telephone metadata:
• The information is stored in secure databases.
• The only intelligence purpose for which the information can be used is counterterrorism.
• Only a limited number of analysts may search these databases.
• A search is allowed only when there is already a reasonable and articulable suspicion that the telephone number is associated with a terrorist organization that has been identified by the FISC.
• The data may be used only to map a network of telephone numbers calling other telephone numbers.
• If an analyst finds a previously unknown (domestic) telephone number that warrants further investigation, that number may only be disseminated in a way that avoids identifying a person associated with the number. Further investigation may be done only by other lawful means, including other FISA provisions and law enforcement authority.
• The telephony metadata is destroyed after 5 years.
• Audit records are kept for all database queries, and a set of auditing and compliance-checking procedures applies, implemented by not only NSA but also ODNI and the Department of Justice.
In addition, only a limited number of NSA officials (22) are designated to make a determination that a telephone number satisfies the reasonable and articulable suspicion (RAS) criteria.c
a Robert S. Litt, “Privacy, Technology and National Security: An Overview of Intelligence Collection,” speech, Washington, D.C., July 18, 2013, http://www.dni.gov/index.php/newsroom/speeches-and-interviews/174-speeches-interviews-2009.
b PPD-28 added two additional restrictions: a requirement that the FISC approve the RAS and a reduction in the number of hops that can be followed from three to two (The White House, Presidential Policy Directive/PPD-28, “Signals Intelligence Activities,” Office of the Press Secretary, January 17, 2014, http://www.whitehouse.gov/the-press-office/2014/01/17/presidential-policy-directive-signals-intelligence-activities).
c Testimony of Chris Inglis, Statement, House Permanent Select Committee on Intelligence, Hearing on “How Disclosed NSA Programs Protect Americans, and Why Disclosure Aids Our Enemies,” June 18, 2013, http://icontherecord.tumblr.com/post/57812486681/hearing-of-the-house-permanent-select-committee-on.
According to the document mentioned immediately above, some of the most important FISA authorities include the following:
• Section 215 of the USA Patriot Act (corresponding to Section 501 of the FISA Act as amended), under which NSA collects information (metadata) about telephone calls to, from, or within the United States.
• Section 702, under which NSA is authorized to target non-U.S. persons who are reasonably believed to be located outside the United States but who are using U.S. communications service providers. NSA believes that collection under this authority is “the most significant tool in the NSA collection arsenal for the detection, identification, and disruption of terrorist threats to the U.S. and around the world.”25
• Section 704, under which NSA is authorized to target a U.S. person outside the United States for foreign intelligence purposes if there is probable cause to believe the U.S. person is a foreign power or is an officer, employee, or agent of a foreign power. Use of this authority requires a specific, individual court order.
• Section 705(b), under which the Attorney General may approve a collection similar to that allowed under Section 704 against a U.S. person who is already the subject of a FISC order obtained pursuant to Section 105 or 304 of FISA.
In addition, PPD-28 limited the purposes for which SIGINT collected in bulk can be used to six purposes, namely for detecting and countering the following:26
(1) Espionage and other threats and activities directed by foreign powers or their intelligence services against the United States and its interests;
(2) Threats to the United States and its interests from terrorism;
(3) Threats to the United States and its interests from the development, possession, proliferation, or use of weapons of mass destruction;
(4) Cybersecurity threats;
(5) Threats to U.S. or allied Armed Forces or other U.S. or allied personnel; and
(6) Transnational criminal threats, including illicit finance and sanctions evasion related to the other purposes named in this section.
There have been two important changes to the Section 215 program as a result of the current public debate. A January 2014 presidential state-
25 Joint Statement: NSA and Office of the Director of National Intelligence.
26 The White House, Presidential Policy Directive/PPD-28, “Signals Intelligence Activities,” 2014.
ment announced that the number of “hops” would be reduced from three to two and that the FISC would be tasked with approving RAS selectors.27
27 See The White House, “Remarks by the President on Review of Signals Intelligence,” 2014, and U.S. Foreign Intelligence Surveillance Court, “In Re Application of the Federal Bureau of Investigation for an Order Requiring the Production of Tangible Things. Order Granting the Government’s Motion to Amend the Court’s Primary Order Dated January 3, 2014,” Docket No. BR 14-01, Washington, D.C., http://www.uscourts.gov/uscourts/courts/fisc/br14-01-order.pdf.